CVE-2025-65805: OAI CN5G AMF: Unauthenticated buffer overflow, RCE/DoS

Severity: HIGH · CISA SSVC: Track*
Published January 7, 2026
CISO Take

OpenAirInterface CN5G AMF (<=v2.1.9) contains a stack-based buffer overflow (CWE-121) in its NAS message handling, triggered by an IMSI string longer than 1000 characters arriving over the N1 interface: no authentication, no user interaction, network-reachable. N1 is the logical UE-to-AMF NAS reference point rather than a port; the NAS PDU reaches the AMF encapsulated in NGAP over N2 from the gNB, so "port N1" in the NVD text means the AMF's NAS-facing listener. This matters to AI security teams because 5G core infrastructure underpins edge AI deployments, autonomous systems, and IoT sensor networks that feed AI pipelines; a crashed AMF drops connectivity for every UE it serves, across all the slices it handles. With 13,670 tracked downstream dependents and an OpenSSF Scorecard of only 6.3/10, the blast radius extends beyond direct adopters. There is no CISA KEV entry, but CISA's SSVC enrichment records a public proof of concept, and the attack is trivial (one Registration Request carrying an oversized identity), so weaponization is low-effort. The advisory lists no fixed release: track upstream for a version after v2.1.9, and in the meantime restrict reachability of the AMF's NAS/NGAP endpoint to trusted gNB and UE management networks and monitor for anomalous NAS identity lengths.

Sources: NVD, ATLAS, OpenSSF

What is the risk?

High risk for organizations running OpenAirInterface-based 5G core deployments, particularly private 5G networks supporting AI edge inference, industrial IoT, or autonomous systems. CVSS 7.5 reflects an unauthenticated, network-accessible, zero-user-interaction flaw whose scored impact is availability only (C:N/I:N/A:H); the RCE path is possible but is not what the score captures. EPSS is 0.19% (higher than 40% of all CVEs) and CISA SSVC records a public PoC; attack complexity is low, since a single malformed NAS Registration Request is sufficient. The DoS path is certain; RCE likelihood depends on memory layout, ASLR/PIE, stack canaries, and the runtime hardening of the specific build. The absence of a fixed version in the advisory increases residual risk.

What systems are affected?

Package: oai-cn5g-amf
Ecosystem: pip (as listed in this profile)
Vulnerable range: <= v2.1.9
Patched: No patch
Profile metrics: 30.8K · OpenSSF 6.3 · 13.8K dependents · pushed 6d ago · 0% patched

Note that upstream OAI CN5G AMF is a C++ network function built from source (gitlab.eurecom.fr) or run from the project's container images; the "pip" ecosystem label and the dependent count are this profile's registry metadata and should not be read as describing a Python package.

If you run oai-cn5g-amf at v2.1.9 or earlier, you are affected; no fixed version is listed.

Severity & Risk

CVSS 3.1: 7.5 / 10
EPSS: 0.2% chance of exploitation in 30 days (higher than 40% of all CVEs)
Exploitation Status: Exploit Available (exploitation: MEDIUM)
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): None
I (Integrity): None
A (Availability): High

What should I do?

6 steps
  1. Patch: No fixed release is listed. Track the upstream repository (last push: 2026-04-04) and upgrade OAI CN5G AMF past v2.1.9 as soon as a release that addresses the NAS parser overflow is published.

  2. Network segmentation: NAS over N1 reaches the AMF inside NGAP over N2, so restrict the AMF's NGAP/SCTP endpoint (standard port 38412) to known gNBs and trusted management segments, and block untrusted sources at the firewall perimeter.

  3. Input validation workaround: If running a custom build, compare the 5GS mobile identity length against the destination buffer before any copy in the NAS Registration Request handler, and reject (do not truncate) messages that exceed it.

  4. Detection: Alert on NAS Registration Request messages whose 5GS mobile identity IE is longer than 64 bytes (a null-scheme SUCI for a 15-digit IMSI fits in 13 bytes; the IE carries a 16-bit length field, so oversized values are encodable on the wire); correlate with AMF process crashes or restarts.

  5. Runtime hardening: Confirm the deployed binary is compiled with stack canaries (-fstack-protector-strong), as a PIE so ASLR applies (-fPIE -pie), with NX/DEP, and with full RELRO (-Wl,-z,relro,-z,now). These turn a controlled overwrite into a crash and raise the bar for RCE; they do not remove the DoS.

  6. Inventory: Audit all private 5G deployments; OAI is common in academic, research, and industrial IoT environments that may also run AI workloads.
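Steps 3 and 4 come down to the same two facts: where the 5GS mobile identity IE sits in a Registration Request and how long it claims to be. The following C program is an added example written for this page, not code from OAI CN5G, and it does not reproduce OAI's parser or buffer layout. It parses the plain (unciphered) Registration Request framing, which is what a UE sends before a security context exists, places the unchecked-copy pattern that CWE-121 describes next to a bounded copy that rejects oversized input, and applies the page's 64-byte alert threshold to two constructed samples: a 13-byte null-scheme SUCI for a 15-digit IMSI and a 1001-byte identity of the shape the advisory describes. The 1000-byte buffer size, every function name and both samples are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Plain (unciphered) 5GMM Registration Request framing, TS 24.501 8.2.6: [0] EPD 0x7E,
 * [1] security header type (low nibble 0 = plain), [2] message type 0x41, [3] registration
 * type | ngKSI, [4..5] 5GS mobile identity length (16-bit big-endian, LV-E), [6..] value.
 * That 16-bit length lets a peer declare an identity far longer than any real IMSI. */
#define NAS_EPD_5GMM                 0x7E
#define NAS_MSG_REGISTRATION_REQUEST 0x41
#define NAS_REG_REQ_HDR_LEN          6
#define IDENTITY_ALERT_THRESHOLD     64    /* detection threshold from step 4 */
#define IMSI_BUF_SIZE                1000  /* hypothetical fixed buffer, per the advisory */

/* Locate the 5GS mobile identity value. 0 on success; -1 if the PDU is not a plain
 * registration request or the declared length runs past the end of the buffer. */
int parse_registration_request(const uint8_t *pdu, size_t n,
                               const uint8_t **id, size_t *id_len)
{
    if (n < NAS_REG_REQ_HDR_LEN || pdu[0] != NAS_EPD_5GMM) return -1;
    if ((pdu[1] & 0x0F) != 0 || pdu[2] != NAS_MSG_REGISTRATION_REQUEST) return -1;
    size_t len = ((size_t)pdu[4] << 8) | pdu[5];
    if (len == 0 || len > n - NAS_REG_REQ_HDR_LEN) return -1;   /* truncated or lying */
    *id = pdu + NAS_REG_REQ_HDR_LEN;
    *id_len = len;
    return 0;
}
/* The CWE-121 pattern at its simplest (illustrative, not OAI's code): len comes from the
 * wire and is never checked against the destination, so 1001 bytes overrun a 1000-byte
 * stack buffer in the caller. Shown for contrast only; nothing below calls it. */
size_t copy_identity_unchecked(char *dst, const uint8_t *src, size_t len)
{
    memcpy(dst, src, len);
    return len;
}
/* Hardened form for step 3: reject what does not fit rather than truncating, so the
 * caller can drop the message and log the rejection. */
int copy_identity_bounded(char *dst, size_t cap, const uint8_t *src, size_t len)
{
    if (len > cap) return -1;
    memcpy(dst, src, len);
    return 0;
}
/* Detection helper for step 4: 1 = identity IE exceeds threshold (alert),
 * 0 = within bounds, -1 = not a parseable plain registration request. */
int registration_identity_oversized(const uint8_t *pdu, size_t n, size_t threshold)
{
    const uint8_t *id; size_t id_len;
    if (parse_registration_request(pdu, n, &id, &id_len) != 0) return -1;
    return id_len > threshold ? 1 : 0;
}

/* Constructed benign sample: SUCI, SUPI format IMSI, PLMN 001/01, routing indicator 0,
 * null protection scheme, MSIN 0000000001 (a 15-digit IMSI occupies 13 bytes). */
static const uint8_t BENIGN_REG_REQ[] = {
    0x7E, 0x00, 0x41, 0x79, 0x00, 0x0D,   /* header, identity length = 13 */
    0x01,                                 /* SUCI, SUPI format = IMSI */
    0x00, 0xF1, 0x10,                     /* MCC 001 / MNC 01 */
    0xF0, 0xFF,                           /* routing indicator "0" */
    0x00, 0x00,                           /* null scheme, home network key id 0 */
    0x00, 0x00, 0x00, 0x00, 0x10          /* MSIN 0000000001, BCD */
};
/* Constructed malformed sample: declares a 32-byte identity but carries one byte. */
static const uint8_t TRUNCATED_REG_REQ[] = { 0x7E, 0x00, 0x41, 0x79, 0x00, 0x20, 0x01 };

/* Build a test vector whose identity IE is id_len bytes (the advisory's trigger shape is
 * id_len > 1000). Returns the PDU length, or 0 if it cannot be encoded. */
size_t build_reg_req_with_identity_len(uint8_t *out, size_t cap, size_t id_len)
{
    if (id_len == 0 || id_len > 0xFFFF || cap < NAS_REG_REQ_HDR_LEN + id_len) return 0;
    out[0] = NAS_EPD_5GMM; out[1] = 0x00; out[2] = NAS_MSG_REGISTRATION_REQUEST; out[3] = 0x79;
    out[4] = (uint8_t)(id_len >> 8); out[5] = (uint8_t)(id_len & 0xFF);
    out[6] = 0x01;                          /* still claims to be a SUCI */
    memset(out + 7, 0x41, id_len - 1);      /* filler, not a payload */
    return NAS_REG_REQ_HDR_LEN + id_len;
}
static uint8_t scratch_pdu[NAS_REG_REQ_HDR_LEN + 0xFFFF];

/* Detector verdict for a crafted request carrying an id_len-byte identity. */
int crafted_detector_result(size_t id_len)
{
    size_t n = build_reg_req_with_identity_len(scratch_pdu, sizeof scratch_pdu, id_len);
    return registration_identity_oversized(scratch_pdu, n, IDENTITY_ALERT_THRESHOLD);
}
/* Bounded-copy verdict for the same request: 0 = copied, -1 = rejected or unparseable. */
int crafted_bounded_copy_result(size_t id_len)
{
    char imsi_buf[IMSI_BUF_SIZE];
    const uint8_t *id; size_t got;
    size_t n = build_reg_req_with_identity_len(scratch_pdu, sizeof scratch_pdu, id_len);
    if (parse_registration_request(scratch_pdu, n, &id, &got) != 0) return -1;
    return copy_identity_bounded(imsi_buf, sizeof imsi_buf, id, got);
}

int main(void)
{
    printf("benign 13-byte SUCI: detector=%d\n", registration_identity_oversized(
           BENIGN_REG_REQ, sizeof BENIGN_REG_REQ, IDENTITY_ALERT_THRESHOLD));
    printf("crafted 1001-byte identity: detector=%d bounded_copy=%d\n",
           crafted_detector_result(1001), crafted_bounded_copy_result(1001));
    return 0;
}
```

In a live detector the NAS PDU is extracted from the NGAP InitialUEMessage or UplinkNASTransport on N2 rather than arriving as a bare buffer, but the check on the identity length is the same. The 64-byte threshold is generous on purpose: even an ECIES-protected SUCI (Profile A or B) for an IMSI stays under 64 bytes, so anything longer is not a legitimate identity. Returning -1 for a length field that overruns the buffer is deliberate as well; a lying length is itself worth an alert, and a parser that trusts it is exactly how the overflow happens.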

CISA SSVC Assessment

Decision Track*
Exploitation poc
Automatable Yes
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Art.9 - Risk Management System
Art.15 - Accuracy, Robustness and Cybersecurity
ISO 42001
A.6.2.5 - AI System Security
A.9.3 - Information security for AI systems
NIST AI RMF
MANAGE-2.2 - Mechanisms exist to sustain and manage AI risk
OWASP LLM Top 10
LLM10:2025 - Unbounded Consumption

Frequently Asked Questions

What is CVE-2025-65805?

A stack-based buffer overflow (CWE-121) in the NAS message handling of OpenAirInterface CN5G AMF v2.1.9 and earlier. An unauthenticated remote peer that can reach the AMF's NAS-facing interface (N1, carried to the AMF over N2 from the gNB) and sends a Registration Request whose IMSI string is longer than 1000 characters can crash the AMF, cutting connectivity for every UE it serves, and, depending on the build's hardening, potentially execute code in the AMF process. No fixed release is listed in the advisory; see the CISO Take and the mitigation steps above.

Is CVE-2025-65805 actively exploited?

No confirmed active exploitation of CVE-2025-65805 has been reported and there is no CISA KEV entry, but CISA's SSVC enrichment records a public proof of concept and the attack is trivial to carry out, so organizations should mitigate now and patch as soon as a fixed release is available.

How to fix CVE-2025-65805?

1. Patch: No fixed release is listed; track the upstream repository (last push: 2026-04-04) and upgrade past v2.1.9 as soon as a fix is published. 2. Network segmentation: Restrict the AMF's NGAP/SCTP endpoint (which carries the N1 NAS traffic over N2) to known gNBs and trusted management segments; block untrusted sources at the firewall perimeter. 3. Input validation workaround: In a custom build, check the 5GS mobile identity length against the destination buffer before any copy in the NAS Registration Request handler and reject oversized messages. 4. Detection: Alert on Registration Requests whose 5GS mobile identity IE exceeds 64 bytes (a 15-digit IMSI as a null-scheme SUCI occupies 13 bytes); correlate with AMF crashes or restarts. 5. Runtime hardening: Confirm the binary is built with stack canaries (-fstack-protector-strong), as a PIE so ASLR applies, with NX/DEP and full RELRO, to constrain RCE exploitability (this does not remove the DoS). 6. Inventory: Audit all private 5G deployments; OAI is common in academic, research, and industrial IoT environments that may also run AI workloads.

What systems are affected by CVE-2025-65805?

This vulnerability affects the following AI/ML architecture patterns: Edge AI inference over 5G, Industrial IoT AI pipelines, Autonomous vehicle connectivity, Private 5G-connected model serving.

What is the CVSS score for CVE-2025-65805?

CVE-2025-65805 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.19%.

Technical Details

NVD Description

OpenAirInterface CN5G AMF<=v2.1.9 has a buffer overflow vulnerability in processing NAS messages. Unauthorized remote attackers can launch a denial-of-service attack and potentially execute malicious code by accessing port N1 and sending an imsi string longer than 1000 to AMF.

Exploitation Scenario

An adversary targeting an organization's private 5G network (e.g., a smart factory using edge AI for quality control) locates the AMF's NAS-facing endpoint, either from a position on the N2 network or as a UE attaching through a gNB, which forwards NAS PDUs to the AMF unchanged. They send a crafted NAS Registration Request whose IMSI/identity field is 1001 or more characters long. The oversized value overflows a stack buffer in the AMF's NAS message parser and crashes the AMF process, dropping every UE it serves, including the AI-enabled edge devices: real-time inference halts, production lines stop, and a window opens for physical or logical follow-on attacks. If the AMF is restarted automatically, re-sending the same message repeats the crash, so the outage persists until the source is blocked. A more capable actor uses the same primitive to attempt RCE: if stack protections are absent or bypassable, shaping the overflow to overwrite the return address yields code execution in the context of the AMF process, a foothold on the 5G core host and on the internal segments hosting AI model serving infrastructure.

Weaknesses (CWE)

CWE-121: Stack-based Buffer Overflow

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Timeline

Published
January 7, 2026
Last Modified
January 29, 2026
First Seen
January 7, 2026

Related Vulnerabilities